tests/filestore: Filestore Stream-depth test cases
authorJeff Lucovsky <jeff@lucovsky.org>
Sun, 14 Jun 2020 17:57:38 +0000 (13:57 -0400)
committerVictor Julien <victor@inliniac.net>
Mon, 3 Aug 2020 09:02:55 +0000 (11:02 +0200)
This commit adds the following test cases for filestore related
stream-depth configuration settings

1. `file-store.stream-depth` exceeds `stream.reassembly.depth`.
2. `file-store.stream-depth` is less than `stream.reassembly.depth`.
3. `file-store.stream-depth` set to 0.

tests/filestore-v2.7-stream-depth/input.pcap [new file with mode: 0644]
tests/filestore-v2.7-stream-depth/suricata.yaml [new file with mode: 0644]
tests/filestore-v2.7-stream-depth/test.rules [new file with mode: 0644]
tests/filestore-v2.7-stream-depth/test.yaml [new file with mode: 0644]
tests/filestore-v2.8-stream-depth/suricata.yaml [new file with mode: 0644]
tests/filestore-v2.8-stream-depth/test.rules [new file with mode: 0644]
tests/filestore-v2.8-stream-depth/test.yaml [new file with mode: 0644]
tests/filestore-v2.9-stream-depth/suricata.yaml [new file with mode: 0644]
tests/filestore-v2.9-stream-depth/test.rules [new file with mode: 0644]
tests/filestore-v2.9-stream-depth/test.yaml [new file with mode: 0644]

diff --git a/tests/filestore-v2.7-stream-depth/input.pcap b/tests/filestore-v2.7-stream-depth/input.pcap
new file mode 100644 (file)
index 0000000..eefa9a0
Binary files /dev/null and b/tests/filestore-v2.7-stream-depth/input.pcap differ
diff --git a/tests/filestore-v2.7-stream-depth/suricata.yaml b/tests/filestore-v2.7-stream-depth/suricata.yaml
new file mode 100644 (file)
index 0000000..46a2d1c
--- /dev/null
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+  - stream:
+      reassembly:
+          depth: 1000
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
+      stream-depth: 100000
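Review bot: The `stream:` block in this file is written as a list item under `outputs:` rather than as a top-level key, which is where the sibling `filestore-v2.8-stream-depth/suricata.yaml` puts it and where Suricata reads `stream.reassembly.depth` from. As written the `depth: 1000` is presumably ignored and the run falls back to the default reassembly depth, so the TRUNCATED expectation in test.yaml would be exercising `file-store.stream-depth` against the default rather than the intended 1000-byte depth; worth confirming by dumping the effective config from the run. Move it out of the outputs list and normalise the odd 10-space indent, i.e. at column 0 after the `outputs:` section: `stream:` / `  reassembly:` / `    depth: 1000`.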
diff --git a/tests/filestore-v2.7-stream-depth/test.rules b/tests/filestore-v2.7-stream-depth/test.rules
new file mode 100644 (file)
index 0000000..d778d7c
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (filestore; sid:1; rev:1;)
diff --git a/tests/filestore-v2.7-stream-depth/test.yaml b/tests/filestore-v2.7-stream-depth/test.yaml
new file mode 100644 (file)
index 0000000..842119f
--- /dev/null
@@ -0,0 +1,19 @@
+requires:
+  min-version: 5
+  features:
+    - HAVE_NSS
+
+args:
+  - -k none --runmode=single
+
+pcap: input.pcap
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.state: "TRUNCATED"
+        fileinfo.stored: true
+        fileinfo.size: 99400
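Review bot: The expected `fileinfo.size: 99400` is an unexplained constant that sits 600 bytes below the configured `stream-depth: 100000`, so a reader cannot tell whether the gap is a segment-boundary effect of the capture or a mistake. A one-line comment above the filter such as `# truncated at the last full TCP segment before the 100000-byte file-store stream-depth` (after confirming that is actually the reason) would make the assertion reviewable. This test also omits the `files: - src/output-filestore.c` requirement that its two siblings declare; if the filestore v2 output module is what the test depends on, the same guard belongs here.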
diff --git a/tests/filestore-v2.8-stream-depth/suricata.yaml b/tests/filestore-v2.8-stream-depth/suricata.yaml
new file mode 100644 (file)
index 0000000..ad56636
--- /dev/null
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
+      stream-depth: 10000
+
+stream:
+  reassembly:
+    depth: 1mb
diff --git a/tests/filestore-v2.8-stream-depth/test.rules b/tests/filestore-v2.8-stream-depth/test.rules
new file mode 100644 (file)
index 0000000..d778d7c
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (filestore; sid:1; rev:1;)
diff --git a/tests/filestore-v2.8-stream-depth/test.yaml b/tests/filestore-v2.8-stream-depth/test.yaml
new file mode 100644 (file)
index 0000000..13ca74e
--- /dev/null
@@ -0,0 +1,25 @@
+requires:
+  features:
+    - HAVE_NSS
+  files:
+    - src/output-filestore.c
+  min-version: 6
+
+args:
+  - -k none --runmode=single
+
+pcap: ../filestore-v2.7-stream-depth/input.pcap
+
+checks:
+
+  - shell:
+      args: grep "SC_WARN_FILESTORE_CONFIG(331)] - file-store.stream-depth value 10000 has no effect since it's less than stream.reassembly.depth value" stdout | wc -l | xargs
+      expect: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.state: "CLOSED"
+        fileinfo.stored: true
+        fileinfo.size: 157548
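Review bot: The shell check pins the numeric error code in `SC_WARN_FILESTORE_CONFIG(331)` inside the grep pattern; that number is the enum's position in Suricata's error table and shifts whenever a code is inserted before it, so the test will start failing on unrelated upstream changes. Matching on the stable message text is enough to prove the warning fired: `args: grep "file-store.stream-depth value 10000 has no effect since it's less than stream.reassembly.depth value" stdout | wc -l | xargs`. The `expect: 1` and the rest of the check stay as they are.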
diff --git a/tests/filestore-v2.9-stream-depth/suricata.yaml b/tests/filestore-v2.9-stream-depth/suricata.yaml
new file mode 100644 (file)
index 0000000..aff1fb9
--- /dev/null
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - alert
+  - file-store:
+      version: 2
+      enabled: yes
+      force-filestore: yes
+      stream-depth: 0
diff --git a/tests/filestore-v2.9-stream-depth/test.rules b/tests/filestore-v2.9-stream-depth/test.rules
new file mode 100644 (file)
index 0000000..d778d7c
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (filestore; sid:1; rev:1;)
diff --git a/tests/filestore-v2.9-stream-depth/test.yaml b/tests/filestore-v2.9-stream-depth/test.yaml
new file mode 100644 (file)
index 0000000..bdeb303
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  features:
+    - HAVE_NSS
+  files:
+    - src/output-filestore.c
+  min-version: 6
+
+args:
+  - -k none --runmode=single
+
+pcap: ../filestore-v2.7-stream-depth/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.state: "CLOSED"
+        fileinfo.stored: true
+        fileinfo.size: 157548
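Review bot: Nothing in this test records what `stream-depth: 0` is expected to mean, so the `CLOSED` / `157548` expectation reads as arbitrary next to the `TRUNCATED` / `99400` of the v2.7 sibling. Add a comment above `checks:` such as `# stream-depth: 0 presumably means no file-store-specific limit; the whole 157548-byte file is reassembled under the default stream.reassembly.depth and should close intact` (confirm the "no limit" reading against the file-store configuration docs). The matching `suricata.yaml` also enables the `alert` eve type, but no check asserts on it; either drop it there or add a `count` check on `event_type: alert` for `sid: 1` so the enabled output is actually exercised.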